GDPR/CCPA Compliance: Commonly faced challenges and their solutions

Europe’s GDPR was the first significant data protection regulation to hit the digital landscape. It gave consumers a substantial amount of control over their personal information. Despite a slow start to achieving compliance, organizations quickly buckled up in the wake of record-breaking fines issued to companies like British Airways and Marriott. The GDPR also paved the way for many other comprehensive privacy laws around the world, such as Brazil’s LGPD and Singapore’s PDPA. One of the most talked-about law is California’s CCPA, which came up quickly after the introduction of GDPR and has been in effect since Jan 1 this year. Over 30 trade associations, companies, and organizations sent requests to the California Attorney General to delay the enforcement of CCPA in light of the coronavirus pandemic. The reply stated this situation has only heightened the value of protecting consumers’ privacy online and that the law will be enforced as scheduled on July 1 or upon finalizing the rules, whichever comes first.

Despite businesses struggling to move their resources and funds to more prioritized areas during this challenging situation, it wouldn’t make sense to come out of this pandemic victorious only to hit a wall with compliance subsequently. Moreover, businesses may not be able to withstand the cost of non-compliance. At least two proposed class actions alleging CCPA violations have already commenced in federal court in California.

Hence, organizations need to act quickly and adopt the necessary technology to achieve compliance. Based on findings in the recent 2020 Netwrix Data Risk & Security Report, here are some common compliance issues faced by companies.

We’ll also take a look at the solutions to these challenges, and the technology that businesses can invest in to overcome these problems:

  1. Collection of consumer data beyond the permissible limit

Most organizations lack specific data collection policies. 64% of respondents said they couldn’t confirm that their organizations gather and store only the minimum amount of customer data required. Of those, 34% are subject to the GDPR, and Article 25 of that law requires them to collect and process only the personal data that is necessary for each specific purpose. However, the majority (61%) of organizations that are subject to the GDPR collect more customer data than the law permits.

  1. Inability to discover and classify the collected data

41% of respondents that are subject to the GDPR and 42% of those subject to the CCPA admitted that they are unable to discover and classify data at the point of creation or are unaware that such a capability even exists. Both Article 30 of the European legislation and Section 1798.100 of the California law requires organizations to track all personal data they gather and ensure that its storage and use is aligned with the stated purposes of data collection.

  1. Unsure if regulated data is stored securely

The majority of CIOs (71%) and CISOs (73%) surveyed consider poor visibility into what data is being created or acquired to be a cybersecurity and compliance risk. 66% of CISOs and compliance officers are not sure if they store regulated information only in secure locations, and nearly half of them (45%) work in organizations subject to GDPR, which makes it vital that they are aware of their data.

  1. Not keeping a track on data sharing

Even though current privacy regulations require companies to track the footprint of the personal data they collect, 33% of organizations subject to the GDPR, and 25% of those subject to the CCPA do not track data sharing at all. Just 12% of organizations reported a security incident due to unauthorized data sharing during the previous year. Of those, more than half (55%) of the respondents needed days to discover it, and nearly half (44%) confirmed that the incident resulted in a data breach.

  1. No proper data retention program in place

Privacy laws like the GDPR require organizations to discard regulated data that is no longer needed in a timely fashion. However, 52% of organizations that are subject to the GDPR still haven’t established a retention program as required by Article 25.

 

Solutions:

  1. Work with senior management and data management teams to document the purposes of data collection and ensure that your organization gathers only the minimum amount of customer data to satisfy those needs.

Technology needed-

  • Dynamic data masking for conditional masking of data: role-based, and location-based, so only authorized people have access to private information.
  • Data minimization to reduce the risk of carrying unrequired sensitive data. Note that deletion and archival are not effective ways of data minimization, since you cannot retrieve data once deleted (if needed) and archival only moves the risk from one place to another. What you need is to tokenize inactive data.
  1. Automate data discovery and classification to ensure that the data you collect is handled according to your security policies and applicable compliance regulations.

Technology needed-

  • Sensitive data discovery: a tool that can find all your sensitive data with automated data discovery and with minimum false positives.
  1. Make sure you can track where your sensitive and regulated data resides at any given time and that you are alerted if it surfaces in a wrong location. Ensure that you always know if a user has been granted direct permissions to critical data.

Technology needed-

  • Data monitoring: monitor user activity for all actions performed on sensitive data in your enterprise. Ensure easy compliance reporting and breach notifications.
  • Data discovery, to pinpoint where the sensitive data is located.
  • Dynamic and Static data masking: so that only authorized people have access to data and irreversible masking for testing and development purposes
  1. Educate your employees about secure data-sharing techniques and explain the consequences of unauthorized data sharing.

Technology needed-

  • Data monitoring: automate monitoring of user activity to know if sensitive data is mishandled (do not wholly rely on users to do the right thing all the time, human-made mistakes are possible too).
  • Dynamic and Static data masking: protection of data to ensure a safe transfer.
  1. Establish a process for data disposal based on your business needs, legal and compliance requirements, and common sense. To reduce risks and control costs, make sure you can identify the data your organization no longer needs and remove it.

Technology needed-

  • Data minimization to establish a process for data disposal
  • Sensitive data discovery to identify the data your organization no longer needs

 

The MENTIS platform comprises a comprehensive solution that protects sensitive data along its lifecycle in the customer’s systems - providing capabilities from sensitive data discovery, masking, and monitoring to data retirement, effectively helping you achieve your data security and compliance needs. Engineered with unique, scalable architecture and built-in separation of duties, it delivers comprehensive, consistent, and reliable data and application security across various data sources (mainframe, relational databases, unstructured data, big data, on-premise, and cloud).  

We help protect the data of some of the most iconic industries and institutions in the world.  Our customer roster includes internet commerce pioneers and national airlines, higher education institutions ranging from the Ivy League to Land Grant schools; international industrial behemoths and retail giants; and global enterprises in the highly regulated financial services and healthcare industries. You can find out more here.